
Ready for a history lesson? How about some thoughts on convergence, information sharing, relationship management or developing a strategic plan?

If you answered yes to any of those, then feel free to turn the page and read personal essays from the 2008 Security 7 Award winners. In their own words, this year's selections lay out their takes on these topics and more, drawing from years of experience in building security programs, executing important projects and meeting rigorous corporate and regulatory demands. This is the fourth year Information Security has handed out the Security 7 Awards, but the first time we've afforded our winners such a forum. Security professionals need to be heard, and you need to read what they have to say.

Security practitioners frequently face the challenge of how to help their organizations deal with threats to information assets. Too often, they must focus on the negative part of the job: stopping bad actors, preventing attacks, patching systems and detecting insider threats. These activities are absolutely necessary, but, after a while, these tasks can become, at best, tiresome, and at worst, an excuse for dismissing opportunities to remain relevant and solve other problems.

In 2007, the Motorola information security team started a project to find better ways to protect key information assets while also enabling employees to be more innovative. First, we changed the way we looked at firewalls. The perimeter firewall has been a primary tool for protecting networks, enabling appropriate connections to the outside and controlling unauthorized traffic in and out of the enterprise. While providing protection, this also creates barriers to the kind of ad hoc, unstructured and unpredictable needs for communication that are imperative in the age of mobility.

So we implemented a novel security concept called enablement zones (E-zones), a logical collection of users, software applications and systems that have similar needs for connectivity and protection. They embrace the need for increased protection without suppressing innovation and mobility. E-zones facilitate sharing of information with mobile employees, business partners and customers, while improving the protection of critical data. For the more than 65,000 individuals in 50 countries, E-zones eliminate the traditional corporate firewall perimeter and the historical friction that security compliance generated. A business unit, department or functional unit can support any number of E-zones, and there can be any number of systems per zone. E-zones can be short-term or permanent.

Secure collaboration: Perimeter Buster, by Bill Boni

The E-zones architecture abolishes the status quo concept that physical location is a reliable measure for protecting organizations against risk of information leaks. E-zones empower business managers to select the right balance of network protection and connectivity for their applications and other digital assets.

Roles organized and defined for any business, operational, financial or risk management criteria.

A specific level of network performance and quality of service.

The business benefits are dramatic. E-zones slashed secure partner integration time from two months to days, enabled deployment of business-critical dashboards to more than 10,000 smart phones, and facilitated collaboration by more than 60,000 staff members.

E-zones are vital to the company's culture of innovation, increasing flexibility for interpersonal and interorganizational communications with substantially reduced friction to the creative processes essential for new products. The results prove we can have better protection with increased flexibility, a necessary combination in the hyper-competitive global marketplace.

btw...

Biggest security worry: That the "bad actors" have now gone covert, and will be (or perhaps already are) using sophisticated exploits to commit crime and information theft...some of them with the advice and assistance of their national intelligence service.

Military buff: Downtime includes reading up on history, hand painting military miniatures and playing tabletop war games.

Bookshelf: Must have: Sun Tzu's The Art of War. "Technology changes (rapidly!), but the essential principles of conflict between opponents remain unchanged over the centuries."

Security hero: Benjamin Franklin, for being instrumental in establishing the country's first police force.

Building relationships: Relationship Expert, by Mark Burnette

Making connections inside and outside the enterprise helps foster a healthy security organization and career.

Collaboration with vendor ArcSight to develop custom event collectors for each Gaylord property, as well as a master collector at headquarters.

Organization monitors 79 million security events daily.

Correlation reduces those events to 20 that are investigated by Burnette's team.

Strategy saves up to 2 GB of storage daily.

Distributed collectors provide a measure of fault tolerance.

When I was in high school, a man from Junior Achievement spoke to our class. He told us that many times in the business world, opportunities come about by who you know, rather than what you know. The speaker was not telling impressionable high school students that their education wasn't important. Rather, he was pointing out that education is one of many life experiences needed for success in the business world.

He was right: The ability to build and leverage strong relationships is indeed a key element in the success of today's information security executives. To build a successful program, CISOs must align themselves with many departments within the organization, including internal audit, legal, HR and, sometimes the most difficult, their own IT department. If any of the leaders in these groups don't recognize and appreciate the role of the CISO, the CISO's effectiveness will be significantly weakened, because an opposing senior executive may create roadblocks or delay progress.

Throughout my career, many of my work experiences have been created through business relationships I've developed with my peers and other security leaders. My first invitation to go into the boardroom came about because my company's external auditors suggested to the CFO and CIO that information security would be a relevant topic of discussion for the audit committee. Of course, the exposure to my company's senior executives through my board presentation proved invaluable in furthering many of the security initiatives we were working toward.

Several jobs I've held were offered to me because of relationships I made with someone working at those organizations. Each job provided even more opportunities to build relationships with coworkers and vendors, which provided additional learning opportunities and career development. In each role, effectively collaborating among teams and implementing security technologies in innovative ways has been a key tool for building rapport and strengthening ties among IT staff.

For example, when we rolled out a SIM at one company I worked for, we provided the remote IT teams with view-only access to the event console; this gave them additional visibility into their environments. More importantly, this gave them a sense of ownership of the initiative and the tool, helping ensure their ongoing support for our critical monitoring initiative, which otherwise risked being viewed as "big brother" spying on them. In another organization I worked for, a strong relationship with the legal department provided the support needed to get a critical compliance initiative funded.

I am honored to win the Security 7 Award. There are many leaders within the security profession who are deserving of this recognition. The interesting thing about being recognized by your profession is that you have to be nominated by someone who believes you worthy of recognition, which, like most other opportunities, stems from the development of strong working relationships. I guess that Junior Achievement guy was pretty sharp indeed.

btw...

Unwinding with ... sitcoms: Big fan of "According to Jim," "Two and a Half Men" and his all-time favorite, "Coach."

Hometown team: Favorite professional sports franchise: Tennessee Titans

What you don't know: Biggest security worry is the unknown: "If a risk is known, even if it isn't adequately addressed yet, it can be quantified and communicated. [Unknown risks] are ones that can really bite an organization."

He's got pipes too: Sings in an a cappella quartet, and harbors dreams of being a professional vocalist.

Security for the masses: Primary Care, by Michael Mucha

Security cannot be a discipline unto itself; it must serve all entities in the enterprise.

Michael Mucha

TITLE Chief information security officer

COMPANY Stanford Hospital

INDUSTRY Health care

KUDOS

Manages a 30-person security team.

Primary focus is security risk to student and patient data, compliance and business considerations.

Relies on outsourcing and software as a service to address operational security tasks.

Built an ecosystem of vendor technologies, services and support to augment the experience of his team.

In the midst of a four-year clinical information security project that addresses privacy and regulations.

Helped create the Stanford University Medical Center Network, a secure collaboration and communications network enabling appropriate access to apps, research and administrative systems.

An executive I barely know recently dropped off a parcel in my office, something I was nonetheless expecting. A few hours later he mentioned it to me in a meeting, with both humor and trepidation: "I was nervous about going into the security officer's office when he wasn't around." Hearing that I thought, "My office doesn't have a whole lot of sensitive data in it. I don't have access to the financials. The HR investigation reports are on a server elsewhere. My screen is locked. Why should my office be a little fortress, compared to the cubicle the junior accountant populates?"

Sensing that the particular moment wasn't right for a speech on security philosophy, I quipped, "You know, it wasn't a problem because the lasers didn't activate." This drew hearty laughs.

This anecdote illustrates a commonly held belief that security is not a meta-discipline that serves all walks of enterprise life, but rather that "security is what security people do." Lay people, i.e., those who aren't full-time security pros, tend to think about security to the extent that security people bug them about it. Security is a bunch of paranoids creating ridiculous things with lasers and so forth, while the business moves along on its own.


A lot of this is the fault of security professionals. Far too many of us see security as an end unto itself. Many don't realize that simply finding a policy violation does not equal success. It's no wonder those outside of security often treat security as some weird realm to be entered at your peril. This attitude places an upper limit on meeting security requirements, because security activities are generally viewed somewhere between necessary evil and unnatural act. The security team walks into meetings with the de facto goal of serving as a random requirements generator lobbing overhead onto the project, rather than consciously moving the business forward by solving problems using a specialist's toolkit.

Some people, when given a hammer, would rather hit someone with it instead of using it to build a house.

In our corner of the enterprise world, the security team is composed of Security Conscious Problem Solvers (credit my enterprise security architects Bryan McDowell and Barbara Vibbert for this phrase). We're here to solve business problems, and recognize that when your eye is on the ball of customer satisfaction, revenue, scalability, connectivity, etc., you can miss out on the need to cover security requirements as well. Security work needs to promote business needs, not just implement some set of rules that looked good in the abstract when someone wrote them down. The intent of the rules needs to be understood. The rules need to be clear and repeatable as much as possible.

The security team always needs to be open to the possibility that the rules are wrong and need to be changed. That's harder than saying "No" formulaically, but it's sustainable in the long run.

btw...

Not so Twitter-ific: "It's a service to subscribe to interruptions."

iPods are for...: "Most of the time, it's iTunes U, tech and science podcasts. Duguid's History of Information class at Berkeley is an eye opener."

Provides a single risk management resource for business and support units.

Chairs Guardian's operational risk management subcommittee.

Program reports to Guardian's risk management committee and audit committee of the board.

Developed and instituted a building permit process, in conjunction with the corporate project management office, that evaluates risk in IT and business projects.

Active member of the Financial Services Information Sharing and Analysis Center.

A prominent executive, inspirational leader and mentor I know tells me time and time again that successful business, like life, means taking calculated risks, overcoming challenges and obstacles, and maximizing new opportunities. In many cases, this means embracing new ideas and charting new territories.

Security organizations need to enable, not inhibit, these opportunities, fortify the road they take and ultimately build confidence in the country's critical financial services infrastructure. Just as we insure our families to protect their future, we must also insure the financial services infrastructure in order to be strong and resilient in the face of growing threats for generations to come.

We can realize this vision in two steps: integration with operational risk and information sharing.

Through these two steps, we position our organizations to maximize performance and productivity, take calculated risks that are in the best interest of shareholders and customers, and more efficiently adapt and respond to our changing environment and the threat landscape.

Convergence and information sharing: Convergence Model, by Marc S. Sokol

Operational risk is naturally present in all business activities and incorporates a broad range of risks, including reputation, legal and regulatory risk; business disruption and system failures; information security and privacy; employment practices and workplace safety; processing errors; theft and fraud; and damage to physical assets. An organization's ability to drive an effective and practical operational risk management program with corporate-wide governance practices, values and integration sets the foundation for managing these risks effectively. This foundation can be further fortified if we are willing to advance opportunities to converge security and operational risk management disciplines and to share information--resulting in more efficient and effective business services.

Information sharing also means actively participating in external information sharing forums with peer companies. One such example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), founded under presidential directives and embodying a public-private information sharing partnership. Forums like FS-ISAC create a virtual fusion center where ideas, threats and intelligence can be gathered, analyzed and communicated efficiently.

By sharing, issues are identified early in order to contain and resolve risk, impact and exposure to participating organizations. More importantly, it provides a platform to team up against terrorism and other threats that impact our industry and day-to-day lives. By participating in initiatives like the FS-ISAC, we are not alone.

Ultimately, I believe that breaking down the barriers to convergence and information sharing is a broader responsibility we all share--and only by working together can we protect the future of this country's critical financial services infrastructure.

btw...

Inspiration: Steve Katz, known to many in the financial services community as the grandfather of information security and the world's first CISO.

Must-have book: Not a security book: Crucial Conversations: Tools for Talking When the Stakes Are High by Kerry Patterson, Joseph Grenny, Ron McMillan and Al Switzler.

Guitar hero: John Mayer is a favorite, in particular "Say" and "Route 66."

Industry progress and attitudes: Progress Report, by Gene Spafford

Uniform security among IT systems is nonsensical, yet that attitude still prevails in many instances.

Gene Spafford

TITLE Executive director, Center for Education and Research in Information Assurance and Security (CERIAS)

ORGANIZATION Purdue University

INDUSTRY Education

KUDOS

Founder and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Renowned adviser to government and industry.

Along with Steve Weeber, is credited with defining the concept of software forensics and aiding in the first prosecution of a virus writer.

Developed and released the COPS network security scanner.

Along with Gene Kim, developed the first free intrusion detection system, Tripwire.

Coauthored the seminal Practical Unix Security with Simson Garfinkel.

I'd like to introduce a theme I have been speaking about for nearly two decades by taking a long view of computing. Fifty years ago, IBM introduced the first all-transistor computer (the 7000 series). Transistors were approximately $20 apiece, and storage was about 10 cents per byte (both measured in current dollars). Costs and capabilities have changed by a factor of tens of millions in five decades.

Yet, despite the incredible transformations in hardware, operating systems, databases, languages and more, overall information security may be worse now than it was in the 1960s. We're still suffering from problems known for decades, and systems are still being built with intrinsic weaknesses, yet now we have more to lose with more systems coming online every week.

Why have we failed to make appreciable progress? In part it is because we've been busy trying to advance on every front, and have every system perform all possible tasks. There is a general lack of awareness that security needs are different for different applications; instead, people seek uniformity of OS, hardware architecture, programming languages and beyond. Ostensibly, this uniformity is to reduce purchase, training and maintenance costs, but fails to take into account risks and operational needs. Such attitudes are clearly nonsensical, so it is perplexing they are still rampant in IT.


For instance, imagine buying a single model of commercial speedboat and assuming it will be adequate for bass fishing, auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers and deep water naval interdiction--so long as we add on a few items. Fundamentally, we understand that this is untenable and that we need to architect a vessel from the keel upward to tailor it for specific needs, and to harden it against specific dangers.

Why can't we see the same is true for computing? Why do we not understand that the commercial platform used at home to store Aunt Bee's pie recipes is not equally suitable for weapons control, health care records management, real-time utility management, storage of financial transactions and more? Supporting everything in one system results in unwieldy software on incredibly complex hardware chips, all requiring dozens of external packages to rein in problems introduced by the complexity.

The situation is unlikely to improve until we start valuing good security and quality over the lifetime of our IT products. We need to design systems to enforce behavior within each specific configuration, not continually tinker with general systems to stop each new threat. Firewalls, IDS, antivirus, DLP and even virtual machines are used because the underlying systems aren't trustworthy.

A better approach would be to determine exactly what we want supported in each environment, build systems to those more minimal specifications, and then ensure they are not used for anything beyond those limitations. To use some current terminology, that's whitelisting as opposed to blacklisting. It's also craftsmanship--using the right tools for each task at hand, as opposed to treating all problems the same because all we have is a hammer.

As an academic, I see how knowledge of the past combined with future research can help us have more secure systems. The challenge continues to be convincing enough IT professionals that "cheap" is not the same as "best," and that we can afford to do better. After all, we no longer need to pay $20 per transistor.

btw...

Intolerable tolerance: Biggest security worry: "Once we begin to tolerate or accept bad behavior, we've lost the battle against it."

Polar opposites: Has visited Tasmania and the Isle of Jersey, as well as Tromso, Norway, which is north of the Arctic Circle.

If you weren't a security professional, you'd be a...: Teacher/professor. "That's actually what I consider myself to be first and foremost now, with inventor second."

I still remember my first days online. I had my XT PC with a fast 4 MHz processor, a 10 MB drive and a whopping 640k of RAM, for which I paid a fortune. DOS 5.0 took a few seconds to load, and then I browsed my drive using Norton Commander to launch a Telemate terminal. The thing was magical; you typed ATDT and then the phone number, and my 2400 baud modem was singing for a few seconds before you were online.

I remember the excitement I felt after seeing the banner and saying, "Awesome, I'm online! Now what?"

I had some friends who warned me not to forget the floppy drive inside, because the Michelangelo virus was in circulation. Nobody knew much about what that meant, but we started buying antivirus software. There weren't many options back then, so I got my F-Prot package on a floppy that you installed and set up in about a minute. Also, now I had a reason to log in to my BBS [bulletin board system] to download the antivirus definitions once a week.

Back then there was not too much worry about security in the corporate IT environment--not on Novell or on NT 3.5. My first manager once said to me, "This NT box runs non-stop for three months, and then it crashes itself. What is the reason to patch it? Or even install antivirus to slow it down?" Of course this all changed once viruses began hitting the boxes, and we were staying all weekend to rebuild them. Then our mindset shifted to paranoia, and we started the patching process.

A personal history lesson: Memory Lane, by Martin Valloud

I learned a lot about security and the patch management process during those days, patching NT servers at 3 a.m. and praying for the servers to come back online after the restart. Backups were done once a week if at all, and offsite tape storage was just a fantasy.

Information services on the Web were just starting too. A few forums were available about security, and people were talking about how the Ping of Death could bring systems down if SP4 for NT hadn't been applied. At that point we all started deploying service packs, and our transition to full-time paranoia mode was complete.

These days, of course, you would not even consider connecting your box to a production network unless it had the latest service pack, patches, antispyware, antivirus, a firewall, and was properly maintained.

Today we have more reliable OSes. We have patching solutions that scan and patch thousands of servers, compliance tools, auto-update antivirus, group policies that secure the servers, firewalls and IDS. We have rootkit detection, daily backups, off-site storage, books, forums, blogs and more. And still, you'll never have a 100 percent secure box, unless of course the network cable is disconnected.

Security is a never-ending story. It changes and mutates, gets better, faster, more complicated and fun. Sometimes, though, I miss the old BBS days.

btw...

Blog stops:

Trika's Blog for Microsoft

Rory McCaw's MOM Blog (Microsoft Operations Manager)

Plan B: If I wasn't running security for a large telecommunications giant in Canada, I'd be a parachuting instructor.

Exotic escape: A small town in the south of Chile called Punta Arenas, located where the Atlantic and Pacific oceans meet.

COMPANY California Office of Information Security and Privacy Protection

INDUSTRY Government

KUDOS

Appointed in April to this new office by Gov. Arnold Schwarzenegger.

Former Naval cryptology officer.

Six years as Colorado CISO.

Proactive about data protection and governance.

Developed a Data Governance Working Group that defined the data security lifecycle for state agencies.

Initiated a threat and vulnerability management program (TVMP) that reviews and tests Web applications for security issues.

Other initiatives:

Enterprise, statewide security policies

Critical system inventory program

Laptop encryption deployment

Incident response program

Outreach and training programs

I've spent considerable time recently pondering that mystical subject called strategic thinking. I'm not sure why it's considered mystical, but as I talk to colleagues in the public and private sectors, people roll their eyes and take on an aura of resignation when they talk about developing a Strategic Plan.

After some interesting discussions over the years, I've concluded that much of our strategic thinking efforts and subsequent strategic planning amounts to little more than brainstorming drills that happen to occur around a certain time each year. The result is typically more of a tactical plan than a real strategic vision for our security organization. Why?

Here's an interesting thought--we're in a tough business where decisions can (and do) cost a CISO his or her job, so when it comes to dividing resources between the strategic-of-the-future and the tactical-of-the-now, perhaps it's simply a personal economic decision to keep a roof over one's head and bread on the table. Maslow said it first! Can you relate?

Strategic planning: Prerequisite Strategy, by Mark Weatherford

When the wolves are at the door--and they're at the door every day--it can be difficult to focus strategically on where we think the threat may be in three or five years and what our reaction should be. That, however, does not preclude the requirement for the CISO to set the strategic course.

So once a year, we gather our team at an off-site meeting to create--drum roll, please--the Strategic Plan, which often ends up being more tactical than strategic. The result is that we end up without a true strategy because we haven't devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I've done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.

Perhaps if we'd done a better job as an industry in our strategic planning and thinking, we wouldn't be overrun with the poorly coded applications we have today that just beg for a hacker's attention. In retrospect, my strategic thinking should have focused more on these kinds of big problems that have business implications, because as we all know, business is typically what suffers when you have a security incident. I knew legacy applications were vulnerable to the kind of command-execution and client-side attacks we are seeing today, and you probably did too. Have we just been too focused on Patch Tuesday vulnerabilities or the latest vulnerability assessment results? When did application security show up on your Top 5 list of things to worry about? Think about it--we've known about the problem of protecting personally identifiable information for years, but when did it become your No. 1 priority?

I think times are changing in most business circles, and hopefully security is finally being appreciated as being business critical. Perhaps not always happily, but recognized nonetheless, due to the growing regulatory environment, increasing requirement to protect intellectual property--and in the government sector, the need to guard our citizens' perception that we are protecting their personal information. So while it takes a degree of boldness to look into the future, I believe CISOs neglect true strategic planning at their peril because real success is impossible without the road map a strategic plan provides.

My famous boss: Appointed by Gov. Arnold Schwarzenegger to the newly created Office of Information Security and Privacy Protection.

Security heroes: Alan Paller of the SANS Institute and Alfred Ouyang of MITRE Corp.

Last vacation: White water rafting in Colorado, where he also competed as part of a team that ran the 195-mile Wild West Relay race.

Q&A: Catching Up with... Dorothy Denning, by Marcia Savage

A professor and information security pioneer, Dorothy Denning won the 2006 Security 7 Award in education. She continues to teach at the Naval Postgraduate School in Monterey, Calif., with a focus on cyberterrorism and cyberwarfare.

ON THIS SUMMER'S DDoS ATTACKS ON GEORGIAN GOVERNMENT WEBSITES: I haven't seen any good evidence it came from the Russian government, but who knows. Clearly a lot of hacker activists were involved in that, much the same as with Estonia. You could see Web forums where Russians were advocating conducting these attacks and telling people how to do them.

ON THE POTENTIAL FOR CYBERWARFARE AND CYBERTERRORISM: I don't know; I don't like to speculate too much. There are plenty of people who are happy to do that, and tell you either there's nothing to worry about or we really should be very worried because they'll go after the electric grid and all that kind of stuff. I don't know what will happen. The history of it is that it seems to be something mostly that people do on their own initiative, maybe in small groups. It looks more like hacker warfare to me. You have conflicts taking place on a state level, but now what you have are these citizen warriors who are joining in and doing their thing. It's kind of chaotic; I don't think the state has control over it. Maybe some governments inspire it, and maybe they sort of condone it by not doing anything about it.

ON HER CURRENT CLASSES: One is on Conflict in Cyberspace; we look at the cyberwarfare issues. We don't do too much in the way of security in that class, although in the class next week, we look at the broad homeland security issues. The other class I teach is called Trust Influence in Networks, but it's about social networks, so a lot of it is just on building trust, social influences and underground networks and how you might undermine terrorist networks. I do a lot on terrorist networks. It's more psychology and social science; it's nothing about information security.

ON HER RECOMMENDED READING: One of the best books I've read in the last year on security is Geekonomics by David Rice. He looks closely at all the problems that come from faulty software. You start thinking about should there be more liability put on the vendors, should there be more requirements put on the vendors to develop better software, how do we deal with that issue. It's a very thought-provoking book; I recommend it.

By the numbers

SOCIAL NETWORKING SCOREBOARD: LinkedIn or Facebook? Our Security 7 winners are unanimous in their LinkedIn love. LinkedIn: 7* (*Four of our winners also have Facebook profiles.)

ELECTION DAY: The 2008 Security 7 winners like Barack Obama for president by a narrow margin: four v. three.
